Security & compliance
Your data deserves enterprise-grade protection. AES-256 encryption, least-privilege access controls, and active compliance programs for SOC 2, HIPAA, and GDPR.
Compliance & certifications
SOC 2: In Progress
HIPAA: Readiness
PCI DSS: Level 1
GDPR: Compliant
AES-256: Encryption
TLS 1.3: Encryption
BAAs: Available
Security practices
How we protect your data at every layer
Encryption at rest and in transit
All data is encrypted with AES-256 at rest and TLS 1.3 in transit. Customer data is isolated at the storage layer with per-tenant encryption keys.
Access control
We implement least-privilege access across all systems. All access is authenticated via SSO/SAML, logged, and audited quarterly. Production access requires break-glass procedures.
Audit logging
Every API request, configuration change, and access event is logged immutably. Logs are retained for 12 months and are available for customer export on Enterprise plans.
Vulnerability management
We run continuous SAST, DAST, and dependency scanning. Critical vulnerabilities are patched within 24 hours. We maintain a responsible disclosure program with bounties up to $50,000.
Data residency
Data can be restricted to US, EU, or APAC regions. Enterprise customers can deploy on-premise or in a dedicated VPC within AWS, GCP, or Azure.
Incident response
We maintain a documented incident response plan tested through quarterly tabletop exercises. Our security team is on-call 24/7 for critical incidents with a 15-minute initial response SLA.
Frequently asked questions
SignalStack is pursuing SOC 2 Type II compliance. Our infrastructure is hosted on SOC 2 compliant providers, and we are in the process of obtaining our own certification. Enterprise customers can request an update on our progress.
Yes. SignalStack is fully GDPR compliant. We have a Data Processing Agreement (DPA) available for all customers. Data can be processed and stored in the EU. See our GDPR page for details.
By default, data is stored in US-based AWS data centers. Enterprise customers can choose data residency in US, EU (Frankfurt), or APAC (Sydney). On-premise deployment is available for air-gapped environments.
No. We never train models on customer API request data, verification results, or uploaded documents. Customer data is strictly isolated and used only to fulfill API requests.
All data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256 using per-tenant keys managed through AWS KMS. We support customer-managed encryption keys (CMEK) on Enterprise plans.
Yes. We maintain a responsible disclosure program with rewards ranging from $500 to $50,000 depending on the severity of the finding. Report vulnerabilities to security@signal-stack-ten.vercel.app.
Starter plan: 99.5% uptime. Business plan: 99.9% uptime. Enterprise plan: 99.99% uptime with dedicated SLAs and credits for non-compliance.
We maintain a current list of subprocessors on our Subprocessors page. Customers are notified at least 30 days before adding or changing subprocessors. Enterprise customers can approve or object to changes.